SCADA Articles on SCADA World

Securing SCADA and Control Networks

2010-07-06 21:58:45views: 813Scott Howard, Byres Security Inc.

Securing SCADA and Control Networks

Early SCADA (Supervisory Control and Data Acquisition) and control networks consisted primarily of isolated islands of proprietary hardware and software. In recent years however, the availability of control equipment based on open standards such as Ethernet, TCP/IP and Windows PC has led to an explosion in the complexity and 'interconnectedness' of these systems. Tremendous improvements in plant performance and productivity have been realized through these changes; however, these productivity gains will not continue in the future without corresponding security improvements in these systems. In addition, safety-critical plants such as chemical, power, and oil and gas facilities can put human safety at risk if their control networks are not properly secured.

Vulnerable 'soft' targets abound in these networks. PLCs (Programmable Logic Controllers) are optimized for high-performance real-time I/O, not robust networking. Many of these devices will crash if they receive malformed data packets, or even high rates of correctly formed data, from the network. This was the root cause of an incident at the Browns Ferry nuclear power plant in Alabama in August 2006. Excessive traffic on the control network caused both the primary and backup reactor cooling systems to crash, necessitating a manual shutdown to keep the reactor core within safe operating limits.

Open standards provide flexible solutions

Trusted Network Connect (TNC) is a work group of the Trusted Computing Group (TCG), a non-profit industry standards consortium focused on strong security through trusted computing. TNC standards define a set of open architectures and interfaces that allow confirmation and enforcement of an endpoint’s integrity, its compliance with security policies, and its rights to access other network resources. TNC is completely open and vendor-neutral, and major vendors such as Microsoft and Juniper Networks have implemented TNC interfaces.

TNC defines several key system components. Policy Enforcement Points (PEP) are the first line of defense; when an endpoint device attaches to the network, the PEP will query a Policy Server to find out what (if any) network access rights should be assigned to the endpoint. Policy Servers, in turn, can interface to other resources such as Lightweight Directory Access Protocol, (LDAP) when making decisions about access rights. Sensor devices can monitor and report on the behavior of endpoints through a Metadata Access Point (MAP) server. TNC standardizes communication between these components at the network, transport, and application layers.

MAP acts as a central clearinghouse, using a ‘publish and subscribe’ model to share data across a huge variety of security and networking systems. Any networking and security technology can be a MAP client; examples include intrusion prevention system (IPS) platforms, vulnerability scanners, firewalls, physical security systems such as badge access solutions, and even application servers. These components can act as sensors adding data to the MAP and/or act upon information received from other components.

Figure 1: TNC manages network traffic between secure zones and allows only authorized clients into the control network.

Applying TNC in SCADA and Control Networks

Although TNC was originally conceived for protection of IT networks, it addresses many security issues that are also encountered in industrial control and SCADA systems. Several TCG members are working together to implement the TNC architecture in these networks, based on the Tofino Security Appliance. Besides significant security improvements and cost savings, TNC offers the potential to manage security policies for both the enterprise and control/SCADA networks from one set of tools. In addition, the open design of TNC enables the deployment of security systems that are much more comprehensive and flexible than those based on proprietary technologies.

About the Author
Scott Howard is Technical Sales Manager at Byres Security Inc., a world leader in security solutions for process control, automation and SCADA systems. Scott has over 25 years’ experience in embedded system development, technical sales and product marketing.


SCADA Articles

Using Free Tools To Detect Attacks On SCADA Networks
2015-05-09 14:28:25views: 1865

ICS/SCADA experts say open-source network security monitoring software is a simple and cheap way to catch hackers targeting plant operations. Operators at Natanz nuclear facility in Iran might well have caught Stuxnet before it spread and sabotaged operations at the plant if they had been watching the wires for anomalous network traffic, a pair of ICS/SCADA experts say.

Hackers gain full control of critical SCADA systems
2015-05-09 14:04:07views: 1964

Russian researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. The vulnerabilities were discovered by researchers who over the last year probed popular and high-end ICS and SCADA systems used to control everything from home solar panel installations to critical national infrastructure.

SCADA Attacks Double in 2014
2015-05-06 07:17:15views: 1731

Annual threat report from Dell Security shows not only a significant surge in the number of attacks on retail credit card systems, but industrial SCADA systems as well, which are much more likely to go unreported.
For Dell to report an annual surge in point-of-sale (POS) attacks aimed at payment card infrastructures might not be such a surprise to people who pay any attention to the news.

The Industrial Software Revolution Begins Now
2013-10-16 11:33:59views: 2311

Invensys is kicking off the conference “The Industrial Software Revolution Begins Now” and underscoring the ‘revolution’ concept with the release of its Wonderware InTouch 2014 and Wonderware System Platform 2014 software.

Integrating Video into HMI/SCADA
2012-06-29 10:19:55views: 2594

The useful integration of video with industrial control systems has been a reality for a few years, but a burst of applications and installations is on the horizon. Cheaper bandwidth, wide availability of Internet protocol (IP) cameras, and greater familiarity with industrial Ethernet networks seem to be driving user interest.

AdvancedHMI - a different approach to HMI development
2012-06-14 10:46:48views: 1857

AdvancedHMI base package is a free software used to build HMIs that display information residing in a PLC. You will find it to be one of the fastest platforms to build an HMI with. The software takes advantage of the Visual Basic .NET development environment so effort is focused on the core software and not reinventing a development environment.

Web Services and SCADA
2012-06-12 23:06:33views: 1414

Web services can be another method for connectivity to SCADA and MES systems. They can retrieve tomorrow's weather, the price of stocks or commodities, the time of sunrise and sunset, and a slew of other publicly-available resources.

SCADA virtualisation with WinCC Version 7
2011-12-21 12:01:11views: 1353

As automation solutions become increasingly complex, it follows that the effort required to maintain both hardware and software will also increase. PCs must be provided with suitable specification and operating systems to support the applications.

Cloud-Based SCADA Systems: The Benefits and Risks
2011-12-20 22:57:31views: 970

Cloud computing is a hot topic. As people become increasingly reliant on accessing important information through the Internet, the idea of storing or displaying vital real-time data in the cloud has become more commonplace. With tech giants like Apple, Microsoft, and Google pushing forward the cloud computing concept, it seems to be more than just a passing trend.

An alternative to DCS or PLC/SCADA
2011-10-04 13:46:22views: 923

Traditionally, users have had a choice between a DCS or a PLC/SCADA approach when selecting a control system for use in process control applications. A key benefit of traditional DCSs was that the suppliers took a ‘systems approach’ and it was designed for large scale applications.